[lxc-devel] [PATCH] Also drop caps in unpriv containers
Stéphane Graber
stgraber at ubuntu.com
Mon Jan 5 12:46:08 UTC 2015
On Mon, Jan 05, 2015 at 12:41:47PM +0000, Serge Hallyn wrote:
> Quoting Stéphane Graber (stgraber at ubuntu.com):
>
> No objection per se, but can you explain why? What is the use
> case for this?
Preventing systemd from thinking it's got cap_sys_module.
That's my main use case anyway, also having a lxc.cap.* be silently
discarded just feels weird :)
>
> > Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
> > ---
> > src/lxc/conf.c | 22 ++++++++++------------
> > 1 file changed, 10 insertions(+), 12 deletions(-)
> >
> > diff --git a/src/lxc/conf.c b/src/lxc/conf.c
> > index 472eb79..72181dd 100644
> > --- a/src/lxc/conf.c
> > +++ b/src/lxc/conf.c
> > @@ -4158,20 +4158,18 @@ int lxc_setup(struct lxc_handler *handler)
> > return -1;
> > }
> >
> > - if (lxc_list_empty(&lxc_conf->id_map)) {
> > - if (!lxc_list_empty(&lxc_conf->keepcaps)) {
> > - if (!lxc_list_empty(&lxc_conf->caps)) {
> > - ERROR("Simultaneously requested dropping and keeping caps");
> > - return -1;
> > - }
> > - if (dropcaps_except(&lxc_conf->keepcaps)) {
> > - ERROR("failed to keep requested caps");
> > - return -1;
> > - }
> > - } else if (setup_caps(&lxc_conf->caps)) {
> > - ERROR("failed to drop capabilities");
> > + if (!lxc_list_empty(&lxc_conf->keepcaps)) {
> > + if (!lxc_list_empty(&lxc_conf->caps)) {
> > + ERROR("Simultaneously requested dropping and keeping caps");
> > return -1;
> > }
> > + if (dropcaps_except(&lxc_conf->keepcaps)) {
> > + ERROR("failed to keep requested caps");
> > + return -1;
> > + }
> > + } else if (setup_caps(&lxc_conf->caps)) {
> > + ERROR("failed to drop capabilities");
> > + return -1;
> > }
> >
> > NOTICE("'%s' is setup.", name);
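Review bot: removing the `lxc_list_empty(&lxc_conf->id_map)` guard is a user-visible behaviour change that the commit message should spell out, not just the subject line: a container with an id_map whose config sets both `lxc.cap.keep` and `lxc.cap.drop` used to skip this whole block silently, but after this hunk it hits `ERROR("Simultaneously requested dropping and keeping caps")` and refuses to start, and an unprivileged config with only `lxc.cap.keep` now goes through `dropcaps_except()` for the first time. Please add a sentence to the commit message describing the new failure mode, and check whether the lxc.container.conf description of `lxc.cap.drop` / `lxc.cap.keep` still says the options are ignored for unprivileged containers, since that text would now be wrong.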
> > --
> > 1.9.1
> >
> > _______________________________________________
> > lxc-devel mailing list
> > lxc-devel at lists.linuxcontainers.org
> > http://lists.linuxcontainers.org/listinfo/lxc-devel
--
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com